Rowland,

I did forget to change it. Is it as simple as renaming now or did I screw up?

On 1/2/2015 12:18 PM, Rowland Penny wrote:
> On 02/01/15 17:07, James wrote:
>> Rowland,
>>
>> I had a typo in my hosts file which is the reason my initial DNS
>> update failed. Corrected and joined again. Successfully joined and
>> updated DNS A record. I then made sure to give 'Domain users' an id of
>> 10000. I am now able to run 'getent passwd' and see all my domain
>> users! YES! However I still see something that confuses me. When I
>> run 'id tuser' I get the following.
>>
>> uid=2155(tuser) gid=2002(domain_users)
>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>
>> Why is the uid 2155 and not 10001?
>>
>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>> On 02/01/15 16:57, James wrote:
>>>> Rowland,
>>>>
>>>> I've gotten a bit further. It appears my use of '.local' is
>>>> causing the issue from what I've researched. I ran
>>>> '/etc/init.d/avahi-daemon stop'. This allowed me to successfully
>>>> join the domain.
>>>>
>>>> Enter administrator@DOMAIN.LOCAL's password:
>>>> Using short domain name -- DOMAIN
>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>
>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>> On 02/01/15 13:41, James wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> If you don't mind I'd like to post my member server
>>>>>> configuration as I attempt again. This is how my member
>>>>>> server (Ubuntu 12.04) is configured after fresh install and prior
>>>>>> to Samba build. Anything I'm missing that could cause my issue as
>>>>>> I proceed? I assume no other prerequisites must be done on the
>>>>>> other DCs either? Thanks.
>>>>>>
>>>>>> # From Wiki for DC build
>>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev
>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl
>>>>>> libcups2-dev acl
>>>>>>
>>>>>> # Fstab file
>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>
>>>>>> # Hosts File
>>>>>> 127.0.0.1 localhost
>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>
>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>> fe00::0 ip6-localnet
>>>>>> ff00::0 ip6-mcastprefix
>>>>>> ff02::1 ip6-allnodes
>>>>>> ff02::2 ip6-allrouters
>>>>>>
>>>>>> # Hostname File
>>>>>> pfmember1.domain.local
>>>>>
>>>>> If you are referring to /etc/hostname, then it should just contain
>>>>> 'pfmember1'.
>>>>>
>>>>> Also, are you fixed on using Ubuntu 12.04, if you were to use
>>>>> Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>
>>>>> Rowland
>>>>>
>>>>>> #/network/interfaces
>>>>>> # This file describes the network interfaces available on your system
>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>
>>>>>> # The loopback network interface
>>>>>> auto lo
>>>>>> iface lo inet loopback
>>>>>>
>>>>>> # The primary network interface
>>>>>> auto eth0
>>>>>> iface eth0 inet static
>>>>>> address 172.16.232.25
>>>>>> netmask 255.255.255.0
>>>>>> gateway 172.16.232.201
>>>>>> network 172.16.232.0
>>>>>> broadcast 172.16.232.255
>>>>>> dns-search domain.local
>>>>>> dns-nameservers 172.16.232.29
>>>>>>
>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>> Hi Rowland,
>>>>>>>>
>>>>>>>> I forgot to tell you the results were from my Domain
>>>>>>>> Controller and not the member server. Member server returned
>>>>>>>> something to the effect of 'user not found'. I am only starting
>>>>>>>> the 3 services (smbd, nmbd and winbindd) listed in the wiki.
>>>>>>>> Should I be starting Samba with command line switches to start
>>>>>>>> as a member server? Is that even possible?
>>>>>>>
>>>>>>> Hi, there are two ways of running samba4, the classic or
>>>>>>> original way that samba3 was used, or as an AD DC. If you run
>>>>>>> samba4 in the classic way, you need to start the smbd & nmbd
>>>>>>> daemons and optionally the winbind daemon. If you use samba4 as
>>>>>>> an AD DC, then you only start the samba daemon, this will start
>>>>>>> any other required daemons, you only start the samba daemon on
>>>>>>> an AD DC.
>>>>>>>
>>>>>>> As you are trying to set up a member server, you must carry out
>>>>>>> the tests on the member server.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>> Thanks for your smb.conf. I will attempt again using your
>>>>>>>> smb.conf as a template and try again.
>>>>>>>>
>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I decided to start over with a fresh install and
>>>>>>>>>> attempted again. Only change I made was to start my mappings
>>>>>>>>>> at 10000. I gave 'Domain Users' group gid 10000 and 'tuser'
>>>>>>>>>> has uid 10001. Still didn't work btw.
>>>>>>>>>>
>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>> objectClass: top
>>>>>>>>>> objectClass: person
>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>> objectClass: user
>>>>>>>>>> cn: Test User
>>>>>>>>>> sn: User
>>>>>>>>>> givenName: Test
>>>>>>>>>> instanceType: 4
>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>> displayName: Test User
>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>> name: Test User
>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>> codePage: 0
>>>>>>>>>> countryCode: 0
>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>> uid: tuser
>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>> uidNumber: 10001
>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>> gidNumber: 10000
>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>
>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>
>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do
>>>>>>>>>>>>>> receive a response from 'getent group domain
>>>>>>>>>>>>>> users' (users:x:100).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I set a user with a uid and domain users group with
>>>>>>>>>>>>>>>> a gid but I'm still unable to view them using 'id'. I
>>>>>>>>>>>>>>>> do notice a few strange observations. If I go to
>>>>>>>>>>>>>>>> another user to attempt to assign a uid, I get the
>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 given I set
>>>>>>>>>>>>>>>> the first user with uid 2000. Groups however appear to
>>>>>>>>>>>>>>>> increment.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand
>>>>>>>>>>>>>>>>>> going forward.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following
>>>>>>>>>>>>>>>>>> along with the wiki I get stuck at 'Testing the
>>>>>>>>>>>>>>>>>> Winbind user/group mapping'. Wbinfo works as expected
>>>>>>>>>>>>>>>>>> but not
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only
>>>>>>>>>>>>>>>>>> retrieve local machine users. Let me preface by
>>>>>>>>>>>>>>>>>> saying this is a Ubuntu 12.04 server with Samba
>>>>>>>>>>>>>>>>>> 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD
>>>>>>>>>>>>>>>>>>>> Member Server)
>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a
>>>>>>>>>>>>>>>>>>>> basic smb.conf'
>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my
>>>>>>>>>>>>>>>>>>>> member server to
>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to
>>>>>>>>>>>>>>>>>>> your new member server
>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>>>> e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> My key is on
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad'
>>>>>>>>>>>>>>>>> backend. For this to work, you need to add 'uidNumber'
>>>>>>>>>>>>>>>>> attributes to your users and a 'gidNumber' attribute
>>>>>>>>>>>>>>>>> to at least the Domain Users group. The numbers that
>>>>>>>>>>>>>>>>> you add must be between the range you set in your
>>>>>>>>>>>>>>>>> smb.conf, again if you followed the wiki, this will be
>>>>>>>>>>>>>>>>> between 500-40000.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache
>>>>>>>>>>>>>>> with 'net cache flush'
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>
>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>
>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are
>>>>>>>>> using the std windows start number 10000, which is the way I
>>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing
>>>>>>>>> this on:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>> security = ADS
>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>> winbind enum users = yes
>>>>>>>>> winbind enum groups = yes
>>>>>>>>> winbind use default domain = yes
>>>>>>>>> winbind expand groups = 4
>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>> winbind normalize names = Yes
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>> printcap name = cups
>>>>>>>>> cups options = raw
>>>>>>>>> usershare allow guests = yes
>>>>>>>>> domain master = no
>>>>>>>>> local master = no
>>>>>>>>> preferred master = no
>>>>>>>>> os level = 20
>>>>>>>>> map to guest = bad user
>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>> map acl inherit = Yes
>>>>>>>>> store dos attributes = Yes
>>>>>>>>>
>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>> OK, you have *now* found out one of the reasons you shouldn't use
>>> the .local suffix
>>>
>>> But does anything else work?
>>>
>>> Rowland
>>
>> --
>> -James
>
> OK, well it seems to be a step in the right direction :-)
>
> Have you changed 'EXAMPLE' in these lines:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 10000-999999
> idmap config EXAMPLE:schema_mode = rfc2307
>
> They need to be changed for your *WORKGROUP* name.
>
> Rowland

--
-James
On 02/01/15 17:26, James wrote:
> Rowland,
>
> I did forget to change it. Is it as simple as renaming now or did
> I screw up?
>
> [...]

Just change it, stop samba and winbind, run 'net cache flush' and restart samba & winbind.

Rowland
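As an added example (not code from the Samba project or from anyone in this thread), the script below checks the idmap layout Rowland is describing: it parses [global], flags an smb.conf whose 'idmap config' block still names EXAMPLE instead of the workgroup, checks that the backend ranges do not overlap, and reports which range a uid such as 2155 falls in. The smb.conf text inside it is constructed from Rowland's template; the reasoning that a domain without its own block falls through to the '*' backend, whose tdb allocator then hands out ids from the '*' range, is Samba's documented idmap behaviour.

```python
# Added example (not Samba code, not from the thread): sanity-check the
# idmap layout in smb.conf and explain where a uid/gid was allocated from.
import re

# Constructed sample: the template from the thread with 'EXAMPLE' left in
# place while the workgroup is DOMAIN, the mistake that produced uid 2155.
BROKEN_CONF = """
[global]
    workgroup = DOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE:schema_mode = rfc2307
"""
# The corrected version: every EXAMPLE renamed to the workgroup.
FIXED_CONF = BROKEN_CONF.replace("EXAMPLE", "DOMAIN")


def parse_global(conf):
    """Key/value pairs of [global]; keys lower-cased and whitespace around
    ':' dropped so 'EXAMPLE : range' and 'EXAMPLE:range' compare equal."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        params[re.sub(r"\s*:\s*", ":", key)] = value.strip()
    return params


def idmap_domains(params):
    """Group 'idmap config <domain>:<option>' parameters by domain."""
    domains = {}
    for key, value in params.items():
        m = re.match(r"^idmap config (\S+):(\S+)$", key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return domains


def parse_range(text):
    """'2000-9999' -> (2000, 9999); rejects an inverted range."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"bad idmap range {text!r}")
    return lo, hi


def check_idmap(conf):
    """Return the problems found; an empty list means the layout is sane."""
    params = parse_global(conf)
    workgroup = params.get("workgroup", "").upper()
    if not workgroup:
        return ["no 'workgroup' set in [global]"]
    domains = idmap_domains(params)
    problems = []
    if "*" not in domains:
        problems.append("no default 'idmap config * : backend' block")
    if workgroup not in domains:
        # Without its own block the domain falls through to '*', so tdb
        # allocates ids from the '*' range instead of reading uidNumber
        # and gidNumber from AD.
        others = ", ".join(sorted(d for d in domains if d != "*"))
        problems.append(f"no 'idmap config {workgroup} : backend' block "
                        f"for the workgroup (found: {others or 'none'})")
    ranges = {}
    for dom, opts in domains.items():
        try:
            ranges[dom] = parse_range(opts["range"])
        except (KeyError, ValueError):
            problems.append(f"idmap config {dom} has no usable range")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def explain_id(conf, number):
    """Say which configured range, hence which backend, a uid/gid is from."""
    for dom, opts in idmap_domains(parse_global(conf)).items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= number <= hi:
                backend = opts.get("backend", "?")
                return f"{number} is in the {dom} range {lo}-{hi} ({backend} backend)"
    return f"{number} is outside every configured idmap range"
```

check_idmap(BROKEN_CONF) reports the missing DOMAIN block and explain_id(BROKEN_CONF, 2155) places that uid in the '*' tdb range, which is exactly what James saw before renaming EXAMPLE; after the rename, explain_id(FIXED_CONF, 10001) attributes tuser's uidNumber to the ad backend.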
Rowland,

That did it! Thank you so much.

I do have a question regarding the 'getent' command before setting up file shares. When I run 'getent group Domain\ Users' I get

domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8

Why does it show these specific users? I would assume it would only show my 'tuser'. I don't have uids set for anyone else.

On 1/2/2015 12:38 PM, Rowland Penny wrote:
> [...]
12/31/2014 1:50 PM, Rowland Penny wrote: >>>>>>>>>>>>> On 31/12/14 18:28, James wrote: >>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>> >>>>>>>>>>>>>> passwd: compat winbind >>>>>>>>>>>>>> group: compat winbind >>>>>>>>>>>>>> >>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote: >>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote: >>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do >>>>>>>>>>>>>>>> receive a response from 'getent group domain >>>>>>>>>>>>>>>> users'(users:x:100). >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote: >>>>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I set a user with a uid and domain users group >>>>>>>>>>>>>>>>>> with a gid but I'm still unable to view them using >>>>>>>>>>>>>>>>>> 'id'. I do notice a few strange observations. If I go >>>>>>>>>>>>>>>>>> to another user to attempt to assign a uid. I get the >>>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001 given I >>>>>>>>>>>>>>>>>> set the first user with uid 2000. Groups however >>>>>>>>>>>>>>>>>> appear to increment. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote: >>>>>>>>>>>>>>>>>>>> Hello Stefan, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I >>>>>>>>>>>>>>>>>>>> understand going forward. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. >>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at >>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'. 
Wbinfo >>>>>>>>>>>>>>>>>>>> works as expected but not >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> #*id DomainUser* >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> #*getent passwd* >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> #*getent group* >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> #*chown DomainUser:DomainGroup file* >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> #*chgrp DomainGroup file* >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> etc. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will >>>>>>>>>>>>>>>>>>>> only retrieve local machine users. Let me preface >>>>>>>>>>>>>>>>>>>> by saying this is a Ubuntu 12.04 server with Samba >>>>>>>>>>>>>>>>>>>> 4.1.14. Thanks. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote: >>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>>>>>>>>>>>>>>>>> Hash: SHA1 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Hello James, >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Am 31.12.2014 um 15:48 schrieb James:> Hello, >>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a Samba >>>>>>>>>>>>>>>>>>>>>> AD Member Server) >>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the 'Set up a >>>>>>>>>>>>>>>>>>>>>> basic smb.conf' >>>>>>>>>>>>>>>>>>>>>> section. >>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my >>>>>>>>>>>>>>>>>>>>> member server to >>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares? >>>>>>>>>>>>>>>>>>>>> No, you dont have to. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Do I need to configure a >>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks. >>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to >>>>>>>>>>>>>>>>>>>>> your new memberserver >>>>>>>>>>>>>>>>>>>>> Stefan >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania >>>>>>>>>>>>>>>>>>>>> Landweg 13 >>>>>>>>>>>>>>>>>>>>> 25693 St. 
Michaelisdonn >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Signieren jeder E-Mail hilft Spam zu reduzieren. >>>>>>>>>>>>>>>>>>>>> Signieren Sie ihre >>>>>>>>>>>>>>>>>>>>> E-Mail. Weiter Informationen unter >>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Mein Schl?ssel liegt auf >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE----- >>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN >>>>>>>>>>>>>>>>>>>>> =SOSt >>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE----- >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' >>>>>>>>>>>>>>>>>>> backend. For this to work, you need to add >>>>>>>>>>>>>>>>>>> 'uidNumber' attributes to your users and a >>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the Domain Users >>>>>>>>>>>>>>>>>>> group. the numbers that you add must be between the >>>>>>>>>>>>>>>>>>> range you set in your smb.conf, again if you >>>>>>>>>>>>>>>>>>> followed the wiki, this will be between 500-40000. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> You have restarted samba, haven't you ? 
>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache >>>>>>>>>>>>>>>>> with 'net cache flush' >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from >>>>>>>>>>>>>>> /etc/nsswitch >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>' >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run: >>>>>>>>>>>>> >>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb >>>>>>>>>>>>> sAMAccountName=tuser >>>>>>>>>>>>> >>>>>>>>>>>>> Post the (sanitized) result >>>>>>>>>>>>> >>>>>>>>>>>>> Rowland >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are >>>>>>>>>>> using the std windows start number 10000, which is the way I >>>>>>>>>>> run samba. Here is my smb.conf from the laptop I am writing >>>>>>>>>>> this on: >>>>>>>>>>> >>>>>>>>>>> [global] >>>>>>>>>>> workgroup = EXAMPLE >>>>>>>>>>> security = ADS >>>>>>>>>>> realm = EXAMPLE.COM >>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>>>>>>> kerberos method = secrets and keytab >>>>>>>>>>> server string = Samba 4 Client %h >>>>>>>>>>> winbind enum users = yes >>>>>>>>>>> winbind enum groups = yes >>>>>>>>>>> winbind use default domain = yes >>>>>>>>>>> winbind expand groups = 4 >>>>>>>>>>> winbind nss info = rfc2307 >>>>>>>>>>> winbind refresh tickets = Yes >>>>>>>>>>> winbind normalize names = Yes >>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307 >>>>>>>>>>> printcap name = cups >>>>>>>>>>> cups options = raw >>>>>>>>>>> usershare allow guests = yes >>>>>>>>>>> domain master = no >>>>>>>>>>> local master = no >>>>>>>>>>> preferred 
master = no >>>>>>>>>>> os level = 20 >>>>>>>>>>> map to guest = bad user >>>>>>>>>>> vfs objects = acl_xattr >>>>>>>>>>> map acl inherit = Yes >>>>>>>>>>> store dos attributes = Yes >>>>>>>>>>> >>>>>>>>>>> Compare it with yours, I can assure you it works. >>>>>>>>>>> >>>>>>>>>>> Rowland >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> -James >>>>>>> >>>>>> >>>>>> -- >>>>>> -James >>>>> >>>>> OK, you have *now* found out one of the reasons you shouldn't use >>>>> the .local suffix >>>>> >>>>> But does anything else work? >>>>> >>>>> Rowland >>>> >>>> -- >>>> -James >>> >>> OK, well it seems to be a step in the right direction :-) >>> >>> Have you changed 'EXAMPLE' in these lines: >>> >>> idmap config * : backend = tdb >>> idmap config * : range = 2000-9999 >>> idmap config EXAMPLE : backend = ad >>> idmap config EXAMPLE : range = 10000-999999 >>> idmap config EXAMPLE:schema_mode = rfc2307 >>> >>> They need to be changed for your *WORKGROUP* name. >>> >>> Rowland >>> >>> >> >> -- >> -James > > Just change it, stop samba and winbind, run 'net cache flush' and > restart samba & winbind. > > Rowland >-- -James
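The misconfiguration this thread ends on (idmap lines still naming the wiki's placeholder EXAMPLE while the workgroup is DOMAIN) and its symptom (tuser getting uid 2155 from the tdb range instead of uidNumber 10001 from AD) can be checked mechanically before restarting anything. The following is an added example, not code from the thread or from the Samba project: it parses the idmap and workgroup lines of an smb.conf, checks that an `idmap config <WORKGROUP>` block with the `ad` backend exists, that no two ranges overlap, and flags an observed uid that falls in the `*` (tdb) range, which means winbind never matched the domain block and allocated the id locally. The smb.conf text is constructed inline to mirror the thread.

```python
import re

# Constructed smb.conf fragment mirroring the thread: the workgroup is DOMAIN,
# but the idmap lines still carry the wiki's placeholder EXAMPLE.
SMB_CONF_BROKEN = """
[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : schema_mode = rfc2307
"""
# The corrected version: identical lines, placeholder replaced by the workgroup name.
SMB_CONF_FIXED = SMB_CONF_BROKEN.replace("EXAMPLE", "DOMAIN")

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)


def parse_idmap(conf):
    """Return (workgroup, {domain: {param: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[key] = val
        elif m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
    return workgroup, idmap


def parse_range(text):
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def check_idmap(conf, uid):
    """Return a list of findings for the config and an observed uid; [] means consistent."""
    workgroup, idmap = parse_idmap(conf)
    findings = []
    dom = idmap.get(workgroup)
    if dom is None:
        findings.append(f"no 'idmap config {workgroup}' block; found {sorted(idmap)}")
    elif dom.get("backend") != "ad":
        findings.append(f"{workgroup} backend is {dom.get('backend')!r}, expected 'ad'")
    # Every configured range must be disjoint from every other one.
    ranges = {d: parse_range(p["range"]) for d, p in idmap.items() if "range" in p}
    for a in ranges:
        for b in ranges:
            if a < b and ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for {a} and {b} overlap")
    # A uid inside the '*' range was allocated by the tdb fallback, not read from AD.
    if "*" in ranges and ranges["*"][0] <= uid <= ranges["*"][1]:
        findings.append(f"uid {uid} lies in the '*' tdb range: domain block was not used")
    return findings
```

Running `check_idmap(SMB_CONF_BROKEN, 2155)` reports both the missing DOMAIN block and the tdb-range uid, while `check_idmap(SMB_CONF_FIXED, 10001)` returns no findings.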